Pixel cluster transit monitoring for detecting click fraud

ABSTRACT

Detecting click fraud that includes a processing device that receives data related to a cursor movement towards an advertisement displayed on a web page. The processing device analyzes the cursor movement data and determines a confidence level useable in the determination of click fraud, the confidence level responsive to the analysis of the cursor movement. The received data includes data that the cursor on the web page has transited at least one pixel cluster on the web page prior to a clicking the advertisement. In one embodiment, a click fraud is detected when the click occurred without the cursor crossing a pixel cluster, and no click fraud occurring when the click occurred after the cursor crossed a pixel cluster.

BACKGROUND OF THE INVENTION

The present invention is related to detecting click fraud, andspecifically to pixel cluster transit monitoring for detecting clickfraud.

Pay Per Click (PPC) is a market tool of the Internet and drivesbusinesses such as Google and Yahoo. In the PPC model, an Advertisercreates clickable advertisements which a Publisher (typically anunaffiliated web site) displays on their website. The Advertiser paysthe Publisher for each “click through” which a visitor to thePublisher's site generates, in essence paying for each referral. A PPCsystem is often extended to include Advertising Networks (e.g., Google)that coordinate the distribution of these advertisements, charging theAdvertisers and paying the Publishers, acting essentially as middlemenand making a profit based on the difference between what they pay thePublishers versus what they charge the Advertisers.

Click Fraud (CF) occurs when a person or organization repeatedlygenerates clicks to a PPC advertisement with the intent of generating animproper charge to the Advertiser. There are several parties who mayhave an economic motivation to commit Click Fraud.

Click Fraud is unethical and is illegal in several jurisdictions. ClickFraud may be accomplished via automated scripts (clickbots) which run indistributed networks, often using zombie machines (end-user machinescompromised by viruses) to simulate clicks from legitimate users.Estimates are that fraudulent clicks represent 2-20% of all clicks.

BRIEF SUMMARY OF THE INVENTION

According to one aspect of the present invention, a method for detectingclick fraud includes providing an advertisement on a web page, providingpixel clusters on the web page with the advertisement, each pixelcluster having an associated mechanism for capturing informationregarding the transit of the pixel cluster by a cursor on the web page;and collecting information based on the capturing of information by eachassociated mechanism, regarding the transit of the pixel cluster by acursor on the web page.

According to another aspect of the present invention, a server hosts aweb page containing an advertisement. The server may include an inputinterface capable of receiving advertisement information related to theadvertisement, a storage device capable of storing the receivedadvertisement information, and a processing device. The processingdevice may control providing the advertisement on the web page,providing pixel clusters on the web page with the advertisement, eachpixel cluster having an associated mechanism for capturing informationregarding the transit of the pixel cluster by a cursor on the web page,and collecting information based on the capturing by each associatedmechanism information regarding the transit of the pixel cluster by thecursor on the web page

According to yet another aspect of the present invention, a computerprogram product may include a computer useable medium having a computeruseable program code embodied therewith, the computer useable programcode including computer useable program code configured to provide anadvertisement on a web page, computer useable program code configured toprovide pixel clusters on the web page with the advertisement, eachpixel cluster having an associated mechanism for capturing informationregarding the transit of the pixel cluster by a cursor on the web page,and computer useable program code configured to collect informationbased on the capturing by each associated mechanism of the informationregarding the transit of the pixel cluster by a cursor on the web page.

According to another aspect of the present invention, a method fordetecting click fraud may include accessing a web page containing anadvertisement; providing at least one mechanism associated with at leastone pixel cluster on the web page, each said mechanism capturinginformation regarding the transit of the pixel cluster by a cursor onthe web page, and collecting information based on the capturing by eachassociated mechanism of information regarding the transit of the pixelcluster by a cursor on the web page

According to yet another aspect of the present invention, a deviceaccesses a server hosting a web page containing an advertisement andincludes: a network interface, the network interface allowing access tothe server, and client code. The client code may perform displaying theweb page with the advertisement, providing mechanisms associated witheach pixel cluster for capturing information regarding the transit ofthe pixel cluster by a cursor on the web page, and collectinginformation based on the capturing by each associated mechanisminformation regarding the transit of the pixel cluster by a cursor onthe web page.

According to another aspect of the present invention, a computer programproduct comprises a computer useable medium having computer useableprogram code embodied therewith, the computer useable program codeincluding computer useable program code configured to access a web pagecontaining an advertisement, computer useable program code configured toprovide mechanisms associated with each pixel cluster, each mechanismcapturing information regarding the transit of the pixel cluster by acursor on the web page, and computer useable program code configured tocollect information based on the capturing by each associated mechanismof information regarding the transit of the pixel cluster by a cursor onthe web page.

According to yet another aspect of the present invention, a method fordetecting click fraud includes: receiving data related to a cursormovement towards an advertisement displayed on a web page, analyzing thecursor movement data, and determining a confidence level useable in thedetermination of click fraud, said confidence level responsive to theanalysis of the cursor movement.

According to another aspect of the present invention, a processingdevice includes: an input interface receiving data related to a cursormovement towards an advertisement displayed on a web page; and aprocessor. The processor performing analyzing the cursor movement dataand determining a confidence level useable in the determination of clickfraud, said confidence level responsive to the analysis of the cursormovement.

According to yet another aspect of the present invention, a computerprogram product comprises a computer useable medium having computeruseable program code embodied therewith, the computer useable programcode including computer useable program code configured to receive datarelated to a cursor movement towards an advertisement displayed on a webpage, computer useable program code configured to analyze the cursormovement data, and computer useable program code configured to determinea confidence level useable in the determination of click fraud, saidconfidence level responsive to the analysis of the cursor movement.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is further described in the detailed descriptionwhich follows in reference to the noted plurality of drawings by way ofnon-limiting examples of embodiments of the present invention in whichlike reference numerals represent similar parts throughout the severalviews of the drawings and wherein:

FIG. 1 is a diagram of a system for pixel cluster transit monitoringaccording to an example embodiment of the present invention;

FIG. 2 is a diagram of a web page with pixel clusters surroundingadvertisements according to an example embodiment of the presentinvention;

FIG. 3 is a diagram of a web page where pixel clusters are located invarious places on the web page according to an example embodiment of thepresent invention;

FIG. 4 is a flowchart of a process for pixel cluster transit monitoringfor detecting click fraud according to an example embodiment of thepresent invention;

FIG. 5 is a flowchart of a process for displaying pixel clusters by aserver according to an example embodiment of the present invention;

FIG. 6 is a flowchart of a process for processing pixel clusterinformation according to an example embodiment of the present invention;and

FIG. 7 is a flowchart of a process for displaying pixel clusters by aclient device according to an example embodiment of the presentinvention.

DETAILED DESCRIPTION

As will be appreciated by one of skill in the art, the present inventionmay be embodied as a method, system, computer program product, or acombination of the foregoing. Accordingly, the present invention maytake the form of an entirely hardware embodiment, an entirely softwareembodiment (including firmware, resident software, micro-code, etc.) oran embodiment combining software and hardware aspects that may generallybe referred to herein as a “system.” Furthermore, the present inventionmay take the form of a computer program product on a computer-usablestorage medium having computer-usable program code embodied in themedium.

Any suitable computer usable or computer readable medium may beutilized. The computer usable or computer readable medium may be, forexample but not limited to, an electronic, magnetic, optical,electromagnetic, infrared, or semiconductor system, apparatus, device,or propagation medium. More specific examples (a non-exhaustive list) ofthe computer readable medium would include the following: an electricalconnection having one or more wires; a tangible medium such as aportable computer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a compact disc read-only memory (CD-ROM), or othertangible optical or magnetic storage device; or transmission media suchas those supporting the Internet or an intranet. Note that the computerusable or computer readable medium could even be paper or anothersuitable medium upon which the program is printed, as the program can beelectronically captured, via, for instance, optical scanning of thepaper or other medium, then compiled, interpreted, or otherwiseprocessed in a suitable manner, if necessary, and then stored in acomputer memory.

In the context of this document, a computer usable or computer readablemedium may be any medium that can contain, store, communicate,propagate, or transport the program for use by or in connection with theinstruction execution system, platform, apparatus, or device. Thecomputer usable medium may include a propagated data signal with thecomputer-usable program code embodied therewith, either in baseband oras part of a carrier wave. The computer usable program code may betransmitted using any appropriate medium, including but not limited tothe Internet, wireline, optical fiber cable, radio frequency (RF) orother means.

Computer program code for carrying out operations of the presentinvention may be written in an object oriented, scripted or unscriptedprogramming language such as Java, Perl, Smalltalk, C++ or the like.However, the computer program code for carrying out operations of thepresent invention may also be written in conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages.

Embodiments according to the present invention are described below withreference to flowchart illustrations and/or block diagrams of methods,apparatus (systems) and computer program products according toembodiments of the invention. It will be understood that each block ofthe flowchart illustrations and/or block diagrams, and combinations ofblocks in the flowchart illustrations and/or block diagrams, can beimplemented by computer program instructions. These computer programinstructions may be provided to a processor of a general purposecomputer, special purpose computer, or other programmable dataprocessing apparatus to produce a machine, such that the instructions,which execute via the processor of the computer or other programmabledata processing apparatus, create means for implementing thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

These computer program instructions may also be stored in acomputer-readable memory that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer readablememory produce an article of manufacture including instruction meanswhich implement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer orother programmable data processing apparatus to cause a series ofoperations to be performed on the computer or other programmableapparatus to produce a computer implemented process such that theinstructions which execute on the computer or other programmableapparatus provide operations for implementing the functions/actsspecified in the flowchart and/or block diagram block or blocks.Alternatively, computer program implemented actions may be combined withoperator or human implemented actions in order to carry out anembodiment of the invention.

Embodiments according to the present invention guard against click fraudby validating that prior to clicking on an advertisement (ad) a cursorhas moved from its initial position when the page was loaded, to the adand in fact transited at least one pixel cluster on the way to the ad.Further, by timing the duration of the web page view, from the time itwas initially loaded to the time of the clicking on an advertisement, aconfidence measure is obtained that the sequence of web page view,transit, and click was in fact reasonable (e.g., human-like). Usingautomated mechanisms, software, or a combination thereof, entitiescommitting click fraud may determine the location of an advertisement,position the cursor over the advertisement, and then initiate a click onthe advertisement. Thus, by automatically pre-positioning the cursordirectly over the advertisement, the cursor will not have been movedfrom a source location across a pixel cluster boundary to theadvertisement. A click fraud is therefore detected since a human action(e.g., controlling the cursor with a pointing device) would not be ableto get the cursor over the advertisement without crossing a pixelcluster boundary near the advertisement.

In embodiments according to the present invention, applets may beprovided along with the web page containing the click target (i.e., thead which is to be click fraud protected). These applets are associatedwith pixel clusters that may form a perimeter around a click target orbe distributed at various places on the web page. For example, arectangular ad click target may be associated with four applets, eachcomprising a segment of a perimeter of the click target. The appletscapture cursor movement (e.g., a mouse movement) over the associatedpixel clusters and may transmit this information to an entity which willdetermine whether click fraud has been committed. This entity may be theserver that has served/provided the web page, a client device, or anyother processing device. Further, a timer associated with one of theapplets (or a fifth applet or other method) may measure how long the webpage has been viewed. This information is also sent to the entity thatwill determine whether click fraud has been committed. The data receivedby this entity, e.g., when the click occurs, the transit and the timerinformation, are used by the entity to create a confidence factor thatthe click is valid and non-fraudulent.

The server providing the web page with the advertisement and the clientdevice displaying the web page with the advertisement may have one ormore of three distinct modules, which may be co-located in manysituations or separated, but are logically distinct. For example, afirst module may take a web page with advertisements in it and insertthe pixel clusters. A second module may capture the cursor movements ofthe user leading up to the mouse click and note whether a pixel clusterwas crossed and may also time the duration of the web page view.Further, a third module may take the web page view time, the clickinformation, and the transit information and judge whether a click fraudhas occurred.

Instances where the mouse click occurred very quickly and withoutcrossing a pixel cluster would be judged to be click fraud with a highconfidence level. Those that crossed the pixel cluster and took a longerperiod of time would be judged not to be click fraud. A database ofsurveyed cursor movement data from human users can be used to adjust thethreshold values. There is inherently a tradeoff between increasing thedetection rate of actual click fraud detection and decreasing the rateof false alarms. Referencing the database of known cursor movementtiming data can allow the operator to adjust the sensitivity of thedetection algorithm to optimize it to their preferences.

It should be noted that “applets” are referred to as single example toillustrate how features of embodiments according to the presentinvention can be added to a web page. Other mechanisms that may be usedto detect cursor movement across a pixel cluster may include but are notlimited to ActiveX controls, plugins, JavaScript and other browserscripting languages, as well as browser extensions and code native tothe browser, combined with markup changes to the downloaded web page toindicate the use of these features. Any mechanism used to detect cursormovement across a pixel cluster is within the scope of embodiments ofthe present invention.

Moreover, in embodiments of the present invention, when a web page(e.g., a search results page) comes up with information andadvertisements, the cursor may be moved to a non-default location, byuse of predefined location lists, or pseudo-random generated locations.For example, currently with a popular search engine, a person can clickon “Search” and get the resulting info and the ads displayed on the webpage. Therefore, a clickbot with a predefined trajectory of cursormovement could simulate this. If the cursor is moved to a non-defaultlocation using the above means it would have to be located and thenmoved. Human characteristics of such a movement could be stored andcompared making fraud more difficult. The pixel detection clusters canthen be strategically located at various places on the page and not justnear the ads.

People committing fraud may use a recording tool to record a set ofhuman interactions which they play repetitively. Various testing toolssuch as those by IBM Rational have the ability to record andautomatically replay human interactions as part of forming a testbucket, for automated testing. According to embodiments of the presentinvention, an applet associated with the search page (or other method),could calculate a signature, including timing, trajectory, and the like.These signatures could be recorded and matched. As human behavior is not100% the same each time, the perfection of reproduction would bedetected as possible fraudulent activity.

FIG. 1 shows a diagram of a system for pixel cluster transit monitoringaccording to an example embodiment of the present invention. This system100 may include one or more workstations 101, 103 and one or moreservers 102, 104, 106 where each may be connected to a network 110, forexample, the Internet. Each workstation includes a browser 130 thatprovides the capability to access a web page and prepare the web pagefor display on a screen, and a network interface 131 providingconnection to the network 110 for accessing the web page. Although notshown, the workstations 101, 103 may also include a processor, memory,one or more data input devices such as a keyboard and/or a pointingdevice such as a mouse, a display. Each server 102, 104, 106 may includeone or more processors 121, one or more storage devices 122, and one ormore input interface 120. Further, although not shown, the servers 102,104, 106 may include a display, a network interface, and other itemsnormally associated with a server. The processors may control activitiesas well as perform various types of processing. The input interface maybe a device that receives data, receives keystrokes, receives portablestorage devices, be a pointing device, or any other type device thatprovides input to the server. In addition, the workstations 101, 103 andthe servers 102, 104, 106 may each be capable of receiving softwareinstructions stored on a storage medium, (e.g., a compact disk (CD),diskette, tape, etc.), that may be inserted into the workstations 101,103 and/or the servers 102, 104, 106. Each workstation 101, 103 and eachserver 102, 104, 106 may have the same cursor cluster transit processingcapability. However, to illustrate the present invention, oneworkstation 101 and one server 102 will be discussed.

A company, publisher or other entity that manages a server 102 may hosta website on the server 102 where the website provides content as wellas advertisements for advertisers that pay the publisher to includeclickable advertisements on the website of the publisher. The advertisermay pay the publisher for each “click through” which a visitor to thepublisher's site (hosted by the server 102), generates. A visitor oruser may access the website hosted by the server 102 via the network 110using a workstation 101 or other computing type device. The workstation101 may access the website hosted on the server 102 via a network 110such as the Internet.

The server 102 generates and downloads the web page which may includemarkup that enables the cursor tracking, the web page viewing durationtiming, and the pixel clusters. In the case of downloaded code (e.g.,applets, activeX, Javascript, etc.) the server 102 may also serve thiscode for initial download. The actual timing, click detection, and pixeltransiting processing may all be done in software code on theworkstation 101 (i.e., client device), whether downloaded from theserver 102, natively built into the browser installed on the clientdevice 101, or other client device software.

Moreover, the signature information for the clicks, the timings, and thetransit info, may be sent from the workstation/client device 101 to aserver 102, 104, 106 that will analyze this information and determine aconfidence factor as to whether the cursor movement is indicative ofclick fraud. The server 104, 106 or processing device performing theanalysis may be a different server from the server 102 hosting the webpage. This information may be sent via the hosting server 102 as anintermediary or it may be sent directly to the server 104, 106performing the analysis. In embodiments according to the presentinvention, the hosting server 102 may be same as the server that judges.

The web pages displayed on the website hosted by the server 102 insertpixel cluster transit monitoring markup or other mechanisms into the webpage to prevent click fraud from occurring on advertisements displayedon the website. In this regard, the server 102 monitors the transitionof a cursor movement (e.g., representing movements controlled by apointing device, software, automated mechanisms, etc.) on the web pageacross a pixel cluster towards an advertisement. Based on the detectionof one or more pixel clusters having been transited (i.e., traversed) bya cursor movement, the server determines a confidence factor as towhether the cursor movement is indicative of click fraud, a click fraudis occurring, or whether a clicking on the advertisement (ad) is in factvalid. If valid, a web page or information associated with clicking onthe advertisement may be displayed and appropriate charges may be sentto the advertiser based on the clicking of the advertisement.

FIG. 2 shows a diagram of a web page with pixel clusters surroundingadvertisements according to an example embodiment of the presentinvention. In this example embodiment, a web page 200 may include one ormore advertisements 210, 220, 230, 240 as well as a non-advertisementarea that contains other web page content 201. In this exampleembodiment, each advertisement 210, 220, 230, 240 may have pixelclusters that form a perimeter around the advertisement. Each pixelcluster may be associated with at least one mechanism used to detectcursor movement across a pixel cluster (e.g., applet, ActiveX controls,plugins, JavaScript and other browser scripting languages, browserextensions and code native to the browser, etc.) that is served alongwith the web page containing the advertisements. In this exampleembodiment, the advertisements are each shown to have four sides andeach advertisement 210, 220, 230, 240 may be surrounded by four pixelclusters. However, the present invention is not limited to four pixelclusters surrounding an advertisement as there may be as many or as fewpixel clusters as desired to form a perimeter around a targetadvertisement that are sufficient in order to insure that a cursormovement towards the advertisement transits a pixel cluster.

Therefore, in this example embodiment there are four advertisements 210,220, 230, 240 on the web page 200 where a first advertisement 210 mayhave four pixel clusters, 211-214 that form a perimeter around the firstadvertisement 210. A second advertisement 220 may have four pixelclusters 221-224 that form a perimeter around the second advertisement220. Similarly, a third advertisement 230 may have four pixel clusters231-234 that form a perimeter around the third advertisement 230, and afourth advertisement 240 may have four pixel clusters 241-244 that forma perimeter around the fourth advertisement 240. Information regardingcursor movements and when a cursor movement has transited a pixelcluster towards an advertisement 210, 220, 230, 240 may be received by aserver 102 that hosts the web page 200, or sent to and received by aclient device 101, or any other processing device 103, 104, 106 forprocessing.

Mechanisms or markup in the web page (e.g., applets) associated witheach pixel cluster 211-214, 221-224, 231-234, 241-244 capture the cursormovements over the associated pixels and may transmit this informationto an entity for processing. As noted previously, the entity may be theserver 102 that has served the web page 200, the client device 101, orany other processing device 103, 104, 106. Using this transitinformation, along with other information a confidence measure may beobtained regarding whether a click fraud is occurring. For example, asequence of a time duration that the web page 200 has been viewed,transit, and click may be analyzed to determine a confidence measurethat the sequence is in fact reasonable and that no click fraud hasoccurred. A timer associated with one of the applets may measure howlong the web page has been viewed. When the click occurs, the transitand the timer may be used to create a confidence factor that a clickfraud has not occurred.

To illustrate the present invention, the pixel clusters 211-214,221-224, 231-234, 241-244, have been shown in a rectangular shape.However, embodiments of the present invention are not limited by pixelclusters in this shape as pixel clusters may be in any shape and/or sizethat form a cluster around an advertisement and still be within thescope of the present application. Further, embodiments of the presentinvention may include pixel clusters that form a perimeter around aspecific advertisement where each pixel cluster is of a different shapeand/or size.

FIG. 3 shows a diagram of a web page where pixel clusters are located invarious places on the web page according to an example embodiment of thepresent invention. In this example embodiment, a web page 300 mayinclude an area containing non-advertisement web page content 301 andone or more areas containing advertisements 310-313. Further, a cursor330 may be displayed at a non-default location each time the web page300 is displayed. The web page 300 may also include a number of pixelclusters 320 that are located at various places throughout the web page300 and not just near the advertisements 310-313 on the web page 300.Each pixel cluster 320 may have at least one associated mechanism usedto detect cursor movement across a pixel cluster (e.g., applet, ActiveXcontrols, plugins, JavaScript and other browser scripting languages,browser extensions and code native to the browser, etc.) that is servedwhen the web page 300 is served/displayed.

FIG. 4 shows a flowchart of a process for pixel cluster transitmonitoring for detecting click fraud according to an example embodimentof the present invention. The process 400 includes in block 401,tracking a cursor being moved to a location of an advertisement on a webpage and a controller of the cursor clicking on the advertisement. Inblock 402, mechanisms (e.g., applets) associated with pixel clusters onthe web page capture that the cursor movement transited the associatedpixel clusters before the clicking of the advertisement. In optionalblock 403, a time duration that the web page has been viewed up to theclicking of the advertisement may be determined. In block 404, aconfidence level is determined based on the time duration, thetransiting and the clicking. In block 405, the confidence level may beused to determine whether the cursor movement is indicative of a clickfraud.

Instances where the mouse click occurred very quickly and withoutcrossing a pixel cluster would be judged to be click fraud with a highconfidence level. Those that crossed the pixel cluster and took a longerperiod of time would be judged not to be click fraud. A database ofsurveyed cursor movement data from human users can be used to adjust thethreshold values. There is inherently a tradeoff between increasing thedetection rate of actual click fraud detection and decreasing the rateof false alarms. Referencing a database of known cursor movement timingdata can allow the adjustment of the sensitivity of the detectionalgorithm to optimize it to desired preferences.

According to embodiments of the present invention, pixel clusters may beinserted onto a web page displaying advertisements by a server of apublisher that is hosting the web site or at a client device by clientcode (e.g., browser code) installed on the client device. As notedpreviously, the pixel clusters on the web page monitor cursor movementsacross the pixel clusters. Mechanisms (e.g., applets, software, or anyother means) associated with the pixel clusters may collect data frompixel clusters transited by the cursor and forward the collected data tobe processed to determine if a click fraud has been attempted. Theprocessing of the collected data from the pixel clusters may beprocessed by any processor and still be within the scope of the presentinvention. For example, the processing may be performed by the serverhosting the web page with the advertisement or by the client device thatis displaying the web page with the advertisement. Moreover, theprocessing may be performed by another entity outside of the server orthe client device. In this embodiment, some or all of the collected datamay be forwarded from the server or client device to the outside entityfor processing. The outside entity may analyze the collected data,determine if a click fraud is occurring, and forward the result of theanalysis back to the server or client device. The server or clientdevice may then take appropriate action based on the analysis. Theoutside entity may be a server or a client device.

FIG. 5 shows a flowchart of a process for displaying pixel clusters by aserver according to an example embodiment of the present invention. Theprocess 500 includes in block 501, an advertiser may provideadvertisement information to a publisher. In block 502, the publisherreceives the advertisement information and stores the advertisementinformation on a publisher server for insertion onto the display of aweb page of the publisher. In block 503, the publisher server mayprovide pixel clusters on the web page displaying the advertisement.These pixel clusters may be served along with the webpage each time theadvertisement on the web page is served. In block 504, mechanisms (e.g.,applets, ActiveX controls, plugins, JavaScript and other browserscripting languages, browser extensions and code native to the browser,etc.) associated with the pixel clusters may collect data from pixelclusters transited by cursor movements on the web page. These mechanismsmay be served along with the webpage by the server each time the webpage is served. In block 505, the server may analyze the cursor movementand determine a confidence level as to whether the cursor movement isindicative of click fraud, or alternatively, in block 506, the servermay send the cursor movement data to an outside entity for analysisand/or determination of a possible click fraud.

FIG. 6 shows a flowchart of a process for processing pixel clusterinformation according to an example embodiment of the present invention.The process 600 includes in block 601, a processing device (e.g.,server, client device, etc.) may receive data collected by monitoringcursor movements that have transited one or more pixel clusters towardsand advertisement on a web page. Data received may also include datagathered related to a timing of a view duration of the web page, datarelated to the transiting, data related to a speed of the cursortransiting each pixel cluster, data related to a click on theadvertisement when initially displayed during a short time duration inone of a transparent or an invisible font, or data related to theclicking of the advertisement. The collected data may be received from aserver, client device, or any other processing device. In block 602, theprocessing device may analyze the cursor movement data collected, aswell as any other received data. In block 603, the processing device maydetermine if the cursor movement is indicative of click fraud based onthe analysis (as discussed previously). In block 604, the processingdevice may notify the sender of the collected data (e.g., publisher ofthe web page with the advertisements, client device viewing the webpage, etc.) of the resultant determination. The processing device maynotify another entity, not associated with the sending of the collecteddata, of the determination either along with or without notifying thesender of the collected data.

FIG. 7 shows a flowchart of a process for displaying pixel clusters by aclient device according to an example embodiment of the presentinvention. The process 700 includes in block 701, an advertiser providesadvertisement information to a publisher. In block 702, a publisherreceives the advertisement information and may store this information ona publisher server for insertion of the advertisement onto the displayof a web page of the publisher. In block 703, a client device accessesthe publisher's server and uses code on the client device to access anddisplay the web page displaying advertisement. The code (client code) onthe client device may be code integrated with a client browser, aseparate plug in used for the browser, modifications to the operatingsystem, a mouse device driver that works in concert with the browser,etc.

In block 704, the client code provides pixel clusters on the web pagedisplaying the advertisement. In block 705, the client code providesmechanisms associated with each pixel cluster that capture cursormovements that transit the pixel clusters on the web page. Themechanisms may be applets, ActiveX controls, plugins, JavaScript andother browser scripting languages, browser extensions and code native tothe browser, etc. The mechanisms may be provided by the browser when theweb page with the advertisement is displayed. In block 706, the clientdevice or client code may analyze the cursor movement and determinewhether the cursor movement is indicative of click fraud, oralternatively, in block 707, the client device or client code may sendthe cursor movement data to an outside entity for analysis and/ordetermination of a possible click fraud.

In some embodiments according to the present invention, the initialpresentation of the advertisements (e.g., some fraction of a second) maybe displayed in a transparent or invisible font and then later madevisible. A click on the ad during the invisible period may also betransmitted as data used to return a confidence level for possible clickfraud.

Further, in some embodiments according to the present invention, theperimeter boundary around an ad may be multiple pixels thick and thespeed of the cursor transit through the boundary may be measured andfactored into the confidence level determination.

In addition in some embodiments according to the present invention,multiple boundary layers may be used. Moreover, in some embodimentsaccording to the present invention, boundary layers may be varied inplacement (e.g., an adjacent perimeter, a perimeter several pixels awayfrom the target ad, perimeters at different pixel lengths away from thetarget ad, varied by segment, etc.). The variation may also bepseudo-random.

Embodiments according to the present invention also allow a server tounderstand that the incoming client is using speech recognition or otherautomated mechanisms for manipulating the cursor and keyboard (as theperimeter pixel clusters will not have been traversed).

Moreover, by implementing system and method embodiments according to thepresent invention, using pixel cluster traversal, it is possible toextrapolate with reasonable confidence that the end user is beingfacilitated in manipulating their local GUI. In instances like this theserver may respond with a more intelligent user interface and on screenassistance.

Embodiments according to the present invention may be used for otherpurposes. For example, servers may provide additional support, orindeed, different interfaces to those users that are employing assistivedevices, or whose perimeter-traversal patterns indicates difficulty inmanipulating the cursor. As the perimeter traversal patterns associatedwith a user are identified, these patterns can be evaluated to determineif they match patterns known from particular assistive accommodations.When a pattern is identified, the server may choose to use theinformation to provide a different user interface, to provide targetedadvertising, to capture different metrics, to provide greater assistanceor so on. For example, a financial site may have a mortgage calculatoror the like, which requires entries to be made within a time period.Understanding that the user has difficulty may result in the siteproviding a click to call interface to a help desk.

The flowcharts and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems which perform the specified functions or acts, or combinationsof special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”and/or “comprising,” when used in this specification, specify thepresence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof.

Although specific embodiments have been illustrated and describedherein, those of ordinary skill in the art appreciate that anyarrangement which is calculated to achieve the same purpose may besubstituted for the specific embodiments shown and that the inventionhas other applications in other environments. This application isintended to cover any adaptations or variations of the presentinvention. The following claims are in no way intended to limit thescope of the invention to the specific embodiments described herein.

That which is claimed is:
 1. A method for detecting click fraudcomprising receiving, by a processing device, data related to a cursormovement towards an advertisement displayed on a web page; receiving, bythe processing device, cursor movement data that the cursor on the webpage has transited at least one pixel cluster of a plurality of pixelclusters on the web page prior to a click on the advertisement, eachpixel cluster comprising boundaries and the pixel clusters form aperimeter around the advertisement so the cursor has to move across theboundaries of the at least one pixel cluster to reach the advertisement;analyzing, by the processing device, the cursor movement data; anddetermining, by the processing device, a confidence level used m thedetermination of click fraud, said confidence level being responsive tothe analysis of the cursor movement.
 2. The method according to claim 1,further comprising determining the confidence level based on at leastthe transiting, and the clicking, the confidence level being used m thedetermination of click fraud.
 3. The method according to claim 2,further comprising receiving data regarding a measured speed of thecursor transiting each pixel cluster and factoring the measured speeddata into the confidence level determination.
 4. The method according toclaim 2, further comprising receiving data related to the click on theadvertisement when the advertisement has been displayed initially for ashort time duration m one of a transparent or an invisible font, theclick on the advertisement during the short time duration data beingfactored into the confidence level determination.
 5. The methodaccording to claim 1, further comprising analyzing the cursor movementdata by determining whether the click occurred without crossing the atleast one pixel cluster, and determining a click fraud when the clickoccurred without the cursor crossing the at least one pixel cluster andno click fraud occurring when the click occurred after the cursorcrossed the at least one pixel cluster.
 6. The method according to claim1, further comprising receiving data captured by mechanisms associatedwith each pixel cluster regarding pixel clusters transited by the cursormovement.
 7. A processing device comprising: a processor, a memoryassociated with the processor, a module stored on the memory thatreceives data related to a cursor movement towards an advertisementdisplayed on a web page when executed by the processor, the modulereceiving cursor movement data that the cursor on the web page hastransited at least one pixel cluster of a plurality of pixel clusters onthe web page prior to a click on the advertisement, each pixel clustercomprising boundaries and the pixel clusters form a perimeter around theadvertisement so the cursor has to move across the boundaries of the atleast one pixel cluster to reach the advertisement; a module stored onthe memory that analyzes the cursor movement data when executed by theprocessor, and a module stored on the memory that determines aconfidence level used m the determination of click fraud when executedby the processor, said confidence level being responsive to the analysisof the cursor movement.
 8. The device according to claim 7, wherein datarelated to the click on the advertisement when the advertisement hasbeen displayed initially for a short time duration m one of atransparent or an invisible font is received and factored into theconfidence level determination.
 9. The device according to claim 7,further comprising the module analyzing the cursor movement data bydetermining whether the click occurred without crossing a pixel cluster,and determining a click fraud when the click occurred without the cursorcrossing a pixel cluster and no click fraud occurring when the clickoccurred after the cursor crossed a pixel cluster.
 10. The deviceaccording to claim 7, further comprising mechanisms associated with thepixel clusters on the web page that are configured to capture dataregarding the pixel clusters being transited by the cursor movement. 11.The device according to claim 7, further comprising the processorreceiving data related to at least one of a view duration of the webpage from the time it was initially loaded to the time of the clickingon the advertisement, a measured speed of the cursor transiting eachpixel cluster, or the click on the advertisement when the advertisementhas been displayed initially for a short time duration in one of atransparent or an invisible font, each of the view duration data, themeasured speed data, and the click on the advertisement during the shorttime duration data being used in the analysis to determine theconfidence level.
 12. The device according to claim 11, furthercomprising the processor determining the confidence level based on thetiming, the transiting, and the clicking, the confidence level beingused in the determination of a click fraud.
 13. A computer programproduct comprising a non-transitory computer useable storage mediumhaving computer useable program code embodied therewith, the computeruseable program code comprising: computer useable program codeconfigured to receive data related to a cursor movement towards anadvertisement displayed on a web page; computer useable program codeconfigured to receive cursor movement data that the cursor on the webpage has transited at least one pixel cluster of a plurality of pixelclusters on the web page prior to a click on the advertisement, eachpixel cluster comprising boundaries and the pixel clusters forming aperimeter around the advertisement so the cursor has to move across theboundaries of the at least one pixel cluster to reach the advertisement;computer useable program code configured to analyze the cursor movementdata, and computer useable program code configured to determine aconfidence level used in the determination of click fraud, saidconfidence level being responsive to the analysis of the cursormovement.
 14. The computer program product according to claim 13,further comprising computer useable program code configured to determinethe confidence level based on at least transiting, and clicking on theadvertisement, the confidence level being used m the determination ofthe confidence level useable m the determination of click fraud.
 15. Thecomputer program product according to claim 13, further comprisingcomputer useable program code configured to receive data regarding ameasured speed of the cursor transiting each pixel cluster and factoringthe measured speed data into the confidence level determination.
 16. Thecomputer program product according to claim 13, further comprisingcomputer useable program code configured to receive data related to theclick on the advertisement when the advertisement has been displayedinitially for a short time duration in one of a transparent or aninvisible font, the click on the advertisement during the short timeduration data being factored into the confidence level determination.17. The computer program product according to claim 13, furthercomprising computer useable program code configured to analyze thecursor movement data by determining whether the click occurred withoutcrossing the at least one pixel cluster, and determining click fraudwhen the click occurred without the cursor crossing the at least onepixel cluster and no click fraud occurring when the click occurred afterthe cursor crossed the at least one pixel cluster.
 18. The computerprogram product according to claim 13, further comprising computeruseable program code configured to receive data captured by mechanismsassociated with each pixel cluster regarding pixel clusters transited bythe cursor movement.
 19. The method according to claim 1, wherein theweb page has at least one boundary layer generally disposed around theadvertisement, and wherein analyzing the cursor movement data comprisesdetermining whether the cursor movement crossed the boundary layer. 20.The method of claim 19, wherein the boundary layer is disposed atvarying pixel distances from the advertisement.
 21. The method accordingto claim 19, wherein the boundary layer is disposed based at least inpart on a pseudo-random variation.
 22. The method according to claim 21,wherein the pseudo-random variation comprises choosing disposition ofthe boundary layer from a group of possible dispositions.
 23. The methodof claim 22, wherein the group of possible dispositions comprisesdisposition of the boundary layer at least partially adjacent theperimeter of the advertisement and disposition of the boundary layer atleast partially a predetermined number of pixels from the perimeter ofthe advertisement.
 24. The method according to claim 19, wherein the webpage has two or more boundary layers, each boundary layer generallydisposed around the advertisement, and wherein analyzing the cursormovement data comprising determining whether the cursor movement crossedeach of the boundary layers.
 25. The method of claim 24, wherein the twoor more boundary layers are each disposed based at least m part on apseudo-random variation comprising choosing disposition of each of theboundary layers from a group of possible dispositions.
 26. The method ofclaim 25, wherein the group of possible dispositions comprises disposingeach of the boundary layers at different predetermined numbers of pixelsfrom the perimeter of the advertisement.
 27. The method of claim 1,further comprising moving the cursor to a predefined location when theweb page comes up with the advertisement, the cursor being required tobe moved by a user completely across the boundaries of the at least onepixel cluster to reach the advertisement.
 28. The method of claim 1,further comprising moving the cursor to a predefined location when theweb page comes up with the advertisement, the cursor being required tobe moved by a user to reach the advertisement.
 29. The method of claim28, further comprising using a list of predefined locations orpseudo-random generated locations for moving the cursor to thepredefined location when the web page comes up with the advertisement.30. The method of claim 1, further comprising providing the plurality ofpixel clusters along with the webpage each time the advertisement on theweb page is served, wherein a location of each pixel cluster ispredetermined when the advertisement is served.